Re: [mod-security-users] chaining a current rule via id
From: Ofer S. <OferS@Breach.com> - 2006-11-30 22:50:10
Your rule will exclude if there is a referer header at all, and not just if the offending value appears in the referer header.

What you would want to do is use the following location:

    REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer

This way you exclude the referer header from the list of locations searched.

To get:

    SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "(?:(?:[\;\|]\W*?\b(?:c(?:h(?:grp|mod|own|sh)|md|pp|c)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|g(?:\+\+|cc)|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)|\/(?:c(?:h(?:grp|mod|own|sh)|pp|c)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|g(?:\+\+|cc)|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id))\b|\b(?:(?:n(?:et(?:\b\W*?\blocalgroup|\.exe)|(?:map|c)\.exe)|t(?:racer(?:oute|t)|elnet\.exe|clsh8?|ftp)|w(?:g(?:uest\.exe|et)|sh\.exe)|(?:rcmd|ftp)\.exe|echo\b\W*?\by+)\b|c(?:md(?:(?:32)?\.exe\b|\b\W*?\\\/c)|hmod\b\.{1,100}?\+.{1,3}x|d\b(?:\W*?\\\/|\W*\b..))))" \
        "deny,auditlog,id:50006,severity:4,msg:'(default/generic_attacks.conf) System Command Injection'"

By the way, you may have noticed in the rule set that I assumed that SQL injection and XSS would generate false positives on the referer header, and it is already excluded in the rule set. I did not anticipate command injections. Can you tell me what pattern in the referer triggers this?

Thanks
~ Ofer

________________________________
From: mod...@li... [mailto:mod...@li...] On Behalf Of Dan Rossi
Sent: Thursday, November 30, 2006 5:32 AM
To: mod...@li...
Subject: [mod-security-users] chaining a current rule via id

Hi, I would like to turn off this rule being triggered by the referer header, so pass through if it's a referer header for a location, as it seems to be trapping:

    SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS "(?:(?:[\;\|]\W*?\b(?:c(?:h(?:grp|mod|own|sh)|md|pp|c)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|g(?:\+\+|cc)|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)|\/(?:c(?:h(?:grp|mod|own|sh)|pp|c)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|g(?:\+\+|cc)|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id))\b|\b(?:(?:n(?:et(?:\b\W*?\blocalgroup|\.exe)|(?:map|c)\.exe)|t(?:racer(?:oute|t)|elnet\.exe|clsh8?|ftp)|w(?:g(?:uest\.exe|et)|sh\.exe)|(?:rcmd|ftp)\.exe|echo\b\W*?\by+)\b|c(?:md(?:(?:32)?\.exe\b|\b\W*?\\\/c)|hmod\b\.{1,100}?\+.{1,3}x|d\b(?:\W*?\\\/|\W*\b..))))" \
        "deny,auditlog,id:50006,severity:4,msg:'(default/generic_attacks.conf) System Command Injection'"

I'm not very crash hot with my regexp; is this right?

    SecRule REQUEST_HEADERS "!(Referer)" "chain,deny,auditlog,id:50006,severity:4,msg:'(custom.conf) System Command Injection'"
    SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS "(?:(?:[\;\|]\W*?\b(?:c(?:h(?:grp|mod|own|sh)|md|pp|c)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|g(?:\+\+|cc)|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)|\/(?:c(?:h(?:grp|mod|own|sh)|pp|c)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|g(?:\+\+|cc)|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id))\b|\b(?:(?:n(?:et(?:\b\W*?\blocalgroup|\.exe)|(?:map|c)\.exe)|t(?:racer(?:oute|t)|elnet\.exe|clsh8?|ftp)|w(?:g(?:uest\.exe|et)|sh\.exe)|(?:rcmd|ftp)\.exe|echo\b\W*?\by+)\b|c(?:md(?:(?:32)?\.exe\b|\b\W*?\\\/c)|hmod\b\.{1,100}?\+.{1,3}x|d\b(?:\W*?\\\/|\W*\b..))))" \
        "deny,auditlog,id:50006,severity:4,msg:'(default/generic_attacks.conf) System Command Injection'"

It seems I have to do this for a lot of rules and locations. I'd rather not have to copy over the entire rule to override it, just chain a rule by its id. Is it possible?
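The location exclusion Ofer describes, as an added example that is not part of the thread or of ModSecurity itself: a small Python model of how a variable list is expanded (including `!REQUEST_HEADERS:Referer`), with the rule's own regex run over a constructed request whose Referer path happens to contain `/ping`. The sample request, the `COLLECTIONS` table and the helper names are assumptions of this example; transformations that a real SecDefaultAction may apply are not modelled.

```python
import re

# Regex of rule id 50006 as quoted in the thread, re-joined across the mail
# wrapping; the adjacent string literals are only there for readability.
CMD_INJECTION_RE = re.compile(
    r"(?:(?:[\;\|]\W*?\b(?:c(?:h(?:grp|mod|own|sh)|md|pp|c)|p(?:asswd|ython|erl|ing|s)"
    r"|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|g(?:\+\+|cc)|(?:xte)?rm|ls(?:of)?"
    r"|telnet|uname|echo|id)|\/(?:c(?:h(?:grp|mod|own|sh)|pp|c)|p(?:asswd|ython|erl|ing|s)"
    r"|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|g(?:\+\+|cc)|(?:xte)?rm|ls(?:of)?"
    r"|telnet|uname|echo|id))\b|\b(?:(?:n(?:et(?:\b\W*?\blocalgroup|\.exe)|(?:map|c)\.exe)"
    r"|t(?:racer(?:oute|t)|elnet\.exe|clsh8?|ftp)|w(?:g(?:uest\.exe|et)|sh\.exe)"
    r"|(?:rcmd|ftp)\.exe|echo\b\W*?\by+)\b|c(?:md(?:(?:32)?\.exe\b|\b\W*?\\\/c)"
    r"|hmod\b\.{1,100}?\+.{1,3}x|d\b(?:\W*?\\\/|\W*\b..))))"
)

COLLECTIONS = {  # collection name -> (member name, value) pairs of the modelled request
    "REQUEST_FILENAME": lambda r: [("", r["filename"])],
    "ARGS": lambda r: list(r["args"].items()),
    "ARGS_NAMES": lambda r: [(k, k) for k in r["args"]],
    "REQUEST_HEADERS": lambda r: list(r["headers"].items()),
}

def select_targets(spec, request):
    """Expand a variable list such as 'ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer'
    into (label, value) pairs: '!' removes members, ':name' picks one (case-insensitive)."""
    included, excluded = [], set()
    for item in spec.split("|"):
        coll, _, name = item.lstrip("!").partition(":")
        pairs = [(coll + (":" + k if k else ""), v)
                 for k, v in COLLECTIONS[coll](request)
                 if not name or k.lower() == name.lower()]
        if item.startswith("!"):
            excluded.update(label for label, _ in pairs)
        else:
            included.extend(pairs)
    return [(label, v) for label, v in included if label not in excluded]

def matching_targets(spec, request, pattern=CMD_INJECTION_RE):
    """Labels of the selected targets on which the rule's regex fires."""
    return [label for label, v in select_targets(spec, request) if pattern.search(v)]

# Constructed sample: an ordinary page view whose Referer path contains "/ping",
# which the rule's "\/(?:...|ping|...)\b" branch matches.
REQUEST = {
    "filename": "/index.php", "args": {"page": "home"},
    "headers": {"Host": "www.example.com", "User-Agent": "ExampleBrowser/1.0",
                "Referer": "http://www.example.com/tools/ping/status.html"},
}
ORIGINAL = "REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS"
EXCLUDING_REFERER = ORIGINAL + "|!REQUEST_HEADERS:Referer"
```

`matching_targets(ORIGINAL, REQUEST)` reports only the Referer, `matching_targets(EXCLUDING_REFERER, REQUEST)` reports nothing, and the same pattern in an argument value is still reported with the exclusion in place.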